Cloud DNS roles and permissions

This page lists the IAM roles and permissions for Cloud DNS. To search through all roles and permissions, see the role and permission index.

Cloud DNS roles

Role Permissions

Role	Permissions
DNS Administrator (`roles/dns.admin`) Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role: Managed zone	`compute.networks.get` `compute.networks.list` `dns.changes.` `dns.changes.create` `dns.changes.get` `dns.changes.list` `dns.dnsKeys.` `dns.dnsKeys.get` `dns.dnsKeys.list` `dns.gkeClusters.` `dns.gkeClusters.bindDNSResponsePolicy` `dns.gkeClusters.bindPrivateDNSZone` `dns.managedZoneOperations.` `dns.managedZoneOperations.get` `dns.managedZoneOperations.list` `dns.managedZones.create` `dns.managedZones.delete` `dns.managedZones.get` `dns.managedZones.getIamPolicy` `dns.managedZones.list` `dns.managedZones.update` `dns.networks.` `dns.networks.bindDNSResponsePolicy` `dns.networks.bindPrivateDNSPolicy` `dns.networks.bindPrivateDNSZone` `dns.networks.targetWithPeeringZone` `dns.networks.useHealthSignals` `dns.policies.` `dns.policies.create` `dns.policies.delete` `dns.policies.get` `dns.policies.list` `dns.policies.update` `dns.projects.get` `dns.resourceRecordSets.` `dns.resourceRecordSets.create` `dns.resourceRecordSets.delete` `dns.resourceRecordSets.get` `dns.resourceRecordSets.list` `dns.resourceRecordSets.update` `dns.responsePolicies.` `dns.responsePolicies.create` `dns.responsePolicies.delete` `dns.responsePolicies.get` `dns.responsePolicies.list` `dns.responsePolicies.update` `dns.responsePolicyRules.*` `dns.responsePolicyRules.create` `dns.responsePolicyRules.delete` `dns.responsePolicyRules.get` `dns.responsePolicyRules.list` `dns.responsePolicyRules.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
DNS Peer (`roles/dns.peer`) Access to target networks with DNS peering zones	`dns.networks.targetWithPeeringZone`
DNS Reader (`roles/dns.reader`) Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role: Managed zone	`compute.networks.get` `dns.changes.get` `dns.changes.list` `dns.dnsKeys.` `dns.dnsKeys.get` `dns.dnsKeys.list` `dns.managedZoneOperations.` `dns.managedZoneOperations.get` `dns.managedZoneOperations.list` `dns.managedZones.get` `dns.managedZones.list` `dns.policies.get` `dns.policies.list` `dns.projects.get` `dns.resourceRecordSets.get` `dns.resourceRecordSets.list` `dns.responsePolicies.get` `dns.responsePolicies.list` `dns.responsePolicyRules.get` `dns.responsePolicyRules.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud DNS Service Agent (`roles/dns.serviceAgent`) Gives Cloud DNS Service Agent access to Cloud Platform resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.globalNetworkEndpointGroups.attachNetworkEndpoints` `compute.globalNetworkEndpointGroups.create` `compute.globalNetworkEndpointGroups.delete` `compute.globalNetworkEndpointGroups.detachNetworkEndpoints` `compute.globalNetworkEndpointGroups.get` `compute.globalOperations.get` `compute.healthChecks.get`

DNS Administrator

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

dns.changes.create
dns.changes.get
dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.gkeClusters.*

dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.networks.useHealthSignals

dns.policies.*

dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud DNS Service Agent

(roles/dns.serviceAgent)

Gives Cloud DNS Service Agent access to Cloud Platform resources.

compute.globalNetworkEndpointGroups.attachNetworkEndpoints

compute.globalNetworkEndpointGroups.create

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.detachNetworkEndpoints

compute.globalNetworkEndpointGroups.get

compute.globalOperations.get

compute.healthChecks.get

Cloud DNS permissions

Permission	Included in roles
`dns.changes.create`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.changes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.changes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.dnsKeys.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.dnsKeys.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.gkeClusters.bindDNSResponsePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.gkeClusters.bindPrivateDNSZone`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.managedZoneOperations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.managedZoneOperations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.managedZones.create`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.managedZones.delete`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.managedZones.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.managedZones.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.managedZones.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Deployment Admin (`roles/workloadmanager.deploymentAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Attack Surface Management Scanner Service Agent (`roles/securitycenter.attackSurfaceManagementScannerServiceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`dns.managedZones.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`)
`dns.managedZones.update`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.networks.bindDNSResponsePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.networks.bindPrivateDNSPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.networks.bindPrivateDNSZone`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Workstations Service Agent (`roles/workstations.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.networks.targetWithPeeringZone`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) DNS Administrator (`roles/dns.admin`) DNS Peer (`roles/dns.peer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Managed Flink Service Agent (`roles/managedflink.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Workstations Service Agent (`roles/workstations.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.networks.useHealthSignals`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.policies.create`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.policies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.policies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.policies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.policies.update`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.projects.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.resourceRecordSets.create`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.resourceRecordSets.delete`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.resourceRecordSets.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.resourceRecordSets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Attack Surface Management Scanner Service Agent (`roles/securitycenter.attackSurfaceManagementScannerServiceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.resourceRecordSets.update`	Owner (`roles/owner`) Editor (`roles/editor`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`dns.responsePolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicies.update`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicyRules.create`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicyRules.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicyRules.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicyRules.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) DNS Reader (`roles/dns.reader`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)
`dns.responsePolicyRules.update`	Owner (`roles/owner`) Editor (`roles/editor`) Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) DNS Administrator (`roles/dns.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Multi-Cluster Service Discovery Service Agent (`roles/multiclusterservicediscovery.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) VMware Engine Service Agent (`roles/vmwareengine.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`)

Cloud DNS roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Cloud DNS roles

DNS Administrator

DNS Peer

DNS Reader

Cloud DNS Service Agent

Cloud DNS permissions

dns.changes.create

dns.changes.get

dns.changes.list

dns.dnsKeys.get

dns.dnsKeys.list

dns.gkeClusters.bindDNSResponsePolicy

dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.get

dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.setIamPolicy

dns.managedZones.update

dns.networks.bindDNSResponsePolicy

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.networks.useHealthSignals

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.create

dns.resourceRecordSets.delete

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.resourceRecordSets.update

dns.responsePolicies.create

dns.responsePolicies.delete

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicies.update

dns.responsePolicyRules.create

dns.responsePolicyRules.delete

dns.responsePolicyRules.get

dns.responsePolicyRules.list

dns.responsePolicyRules.update

Cloud DNS roles and permissions

`dns.changes.create`

`dns.changes.get`

`dns.changes.list`

`dns.dnsKeys.get`

`dns.dnsKeys.list`

`dns.gkeClusters.bindDNSResponsePolicy`

`dns.gkeClusters.bindPrivateDNSZone`

`dns.managedZoneOperations.get`

`dns.managedZoneOperations.list`

`dns.managedZones.create`

`dns.managedZones.delete`

`dns.managedZones.get`

`dns.managedZones.getIamPolicy`

`dns.managedZones.list`

`dns.managedZones.setIamPolicy`

`dns.managedZones.update`

`dns.networks.bindDNSResponsePolicy`

`dns.networks.bindPrivateDNSPolicy`

`dns.networks.bindPrivateDNSZone`

`dns.networks.targetWithPeeringZone`

`dns.networks.useHealthSignals`

`dns.policies.create`

`dns.policies.delete`

`dns.policies.get`

`dns.policies.list`

`dns.policies.update`

`dns.projects.get`

`dns.resourceRecordSets.create`

`dns.resourceRecordSets.delete`

`dns.resourceRecordSets.get`

`dns.resourceRecordSets.list`

`dns.resourceRecordSets.update`

`dns.responsePolicies.create`

`dns.responsePolicies.delete`

`dns.responsePolicies.get`

`dns.responsePolicies.list`

`dns.responsePolicies.update`

`dns.responsePolicyRules.create`

`dns.responsePolicyRules.delete`

`dns.responsePolicyRules.get`

`dns.responsePolicyRules.list`

`dns.responsePolicyRules.update`